Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- $$ bpep.wds - Entry point stopper [lhc645,2010] - WinDbg script
- .block
- {
- .catch
- {
- $$ part I
- $$ find entry point address (ldr)
- r? $t0 = &@$peb->Ldr->InLoadOrderModuleList
- r? $t1 = *(ntdll!_LDR_DATA_TABLE_ENTRY**)@$t0
- r $t2 = @@c++(@$t1->EntryPoint)
- .printf "Main module entry point 0x%I64X\n", @$t2
- $$ set breakpoint on ep
- bp @$t2
- $$ part II
- $$ set breakpoint on tls callbacks
- r $t1 = @@c++(@$t1->DllBase)
- .printf "Main module base 0x%I64X\n", @$t1
- r? $t2 = (ntdll!_IMAGE_NT_HEADERS64*)(*(unsigned long *)(@$t1+0x3c)+@$t1)
- .printf "PIMAGE_NT_HEADERS64: 0x%I64X\n", @$t2
- r $t0 = @@c++(@$t2->OptionalHeader.DataDirectory[9].VirtualAddress)
- .if (@$t0!=0)
- {
- r $t0 = @$t0 + @$t1
- .printf "PIMAGE_TLS_DIRECTORY64: 0x%I64X\n", @$t0
- $$ addressofcallbacks
- r? $t0 = *(void**)(@$t0+0x18)
- .printf "Address of callbacks %I64X\n",@$t0
- r? $t2 = *(void**)@$t0
- .while(@$t2!=0)
- {
- .printf "Callback %I64X\n",@$t2
- bp @$t2
- r $t0 = $t0+8
- r? $t2 = *(void**)@$t0
- }
- }
- .else
- {
- .printf "Tls directory is not found!\n"
- }
- $$ Go!
- g
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
